How Dozens of Companies Know You're Reading About Those NSA Leaks

As news websites around the globe are publishing story after story about dragnet surveillance, these news sites all have one thing in common: when you visit these websites, your personal information is broadcast to dozens of companies, many of which have the ability to track your surfing habits, and many of which are subject to government data requests.

How Does This Happen?

When you load a webpage in your browser, the page normally includes many elements that get loaded separately, like images, fonts, CSS files, and javascript files. These files can be, and often are, loaded from different domain names hosted by different companies. For example, if a website has a Facebook Like button on it, your browser loads javascript and images from Facebook's server to display that Like button, even if the website you're visiting has nothing to do with Facebook.

Why Does This Matter?

Each time your browser makes a request it sends the following information with it:

All of these websites, by loading third party resources from servers controlled by major providers like Facebook, Google, and others, are sending information about their visitors to companies subject to US government data requests. While these news companies themselves could directly recieve requests for this data, the fact that they voluntarily send this data to the same small, centralized group of third parties makes these third parties convenient and attractive targets to collect visitor information from vast swaths of the web. Once a website sends data to a third party, it no longer has the power to stand up for its users against unconstitutional government requests for that data.

These sites are for the most part not actively attempting to diminish the privacy of their users. Rather, there are several factors that converge that make it commonplace to include third party resources. First, services like Google Analytics are very popular and provide an easy way to do analytics. Second, it's commonly considered a good practice for websites to include jQuery and load webfonts from servers run by Google, since these will load fast and reduce the burden on your servers. Finally, including Facebook Like buttons and other social media widgets on your website is one of the best ways to gain social media traction.

It's time for these "best practices" to change, so we can avoid giving the government a one-stop shop for your data. In a future blog post we'll discuss ways that web developers and companies can mitigate privacy risks related to third party resources from their websites.

In contrast to the websites listed above, when you visit eff.org, your browser doesn't make any requests to any third parties. We've long been aware of the privacy dangers inherent in loading third party resources, and our privacy policy states:

We do occasionally allow our website to interact with other services, like social networking, mapping, and video hosting websites. It is our policy not to include third-party resources when users initially load our web pages, but we may dynamically include them later after giving the user a chance to opt-in. If you believe a third-party resource is automatically loading, please let us know so we can address it.

The Importance of a Strong Do Not Track Standard

Given the proliferation of information flowing to third parties, it is critical that we develop a strong Do Not Track (DNT) standard that forbids third parties from collecting and retaining information derived from a user's visit to a website once that user has enabled DNT in her browser. Unfortunately, the W3C Tracking Protection Working Group is working on a standard that is far too watered down, and hence unlikely to offer real privacy protections to users. This leaves users exposed to data collection not only by the companies themselves, but also by the NSA and other agencies who might seek to obtain the information from these third parties. We very much hope that in the next month or so before the working group winds down, we arrive at a strong Do Not Track standard that helps to protect users from this type of abuse.

What Can Users Do?

If you really want to be in control of exactly which third party requests your browser makes, use RequestPolicy for Firefox. It's a browser extension that blocks all third party resources by default, and then lets you choose which resources you want your browser to load for which websites. But be warned, the problem with third party resources is so prevalent that RequestPolicy will break the layout and functionality of almost every single site until you allow specific third party requests for those sites.

It's unfortunate that protecting privacy on the web requires determined users that are willing to be inconvenienced for privacy. We need to work towards a long-term technical ecosystem that will better protect the privacy of who visits what websites. We also need strong privacy laws that protect user data from unconstitutional surveillance, and the transparency necessary to ensure these laws cannot be bypassed in secret.

Related Updates

With our coalition partners, we submitted a letter in support of Berkeley's proposed Surveillance Technology Use and Community Safety Ordinance. Now more than ever, local leaders have a special responsibility to protect vulnerable residents from suspicionless monitoring and the creation of databases exploitable for discriminatory ends.

Many groups in the Electronic Frontier Alliance work to ensure that their neighbors have the tools they need to maintain control of their information. Others devote their efforts to community organizing or advocacy, assuring that authorities respect the civil and privacy rights of people in their community. For over...

WASHINGTON, D.C.—The Electronic Frontier Foundation (EFF) asked the Supreme Court to review and overturn an unprecedented ruling allowing the government to intercept, collect, and store—without a warrant—millions of Americans’ electronic communications, including emails, texts, phone calls, and online chats. This warrantless surveillance is conducted by U.S. intelligence agencies...

Since last year, Indian citizens have been required to submit their photograph, iris and fingerprint scans in order to access legal entitlements, benefits, compensation, scholarships, and even nutrition programs. Submitting biometric information is needed for the rehabilitation of manual scavengers, the training and aid of disabled people, and anti-retroviral...

We're finally going to get some honesty on how the NSA spies on innocent Americans' communications. A federal judge late last week in Jewel v. NSA, EFF’s landmark case against mass surveillance, ordered [PDF] the government to provide to it all relevant evidence necessary to prove or deny...

On May 9, the Public Safety Committee of the Oakland City Council voted unanimously to approve a proposed “Surveillance and Community Safety Ordinance.” The measure, passed on to the Council by the city’s Privacy Advisory Commission, is modeled on a law enacted in spring 2016 by Santa...

Lawyers at EFF, the ACLU, and the National Association of Criminal Defense Lawyers released a report today outlining strategies for challenging law enforcement hacking, a technique of secretly and remotely spying on computer users to gather evidence. Federal agents are increasingly using this surveillance technique, and the report...